Dissecting the Facebook Gift Scam: How They Get You

"Get free stuff!" is a common lure scammers use on Facebook. It doesn't matter if the pitch is for a free airplane ticket, a free iPad, or just a voucher for a free coffee. Everyone likes getting something for free.

Scammers are using Facebook elements such as "Likes" and comments to make gift scams more believable to users, Troy Hunt, a software architect and security researcher who has analyzed passwords from past breaches, wrote last week on his blog. The Facebook gift scam takes a "cunning" approach and "chains together numerous illusions" and other methods to trick victims, Hunt wrote.

While the bulk of Hunt's analysis focused on a supposed $400 voucher promotion from Australian retailer Woolworths, there are similar scams for other retailers, including Starbucks, Costco, and Harvey Norman, he said.

"The scam relies on the power of social media leverage by making the victim the advocate for the scam. It's their wall that's telling all their friends how awesome the scammer's page is," Hunt wrote.

It all begins with a friend. Or more precisely, a post from a Facebook friend in the Newsfeed advertising a voucher or a free gift from a company. Users who click on the link first land on the promotion page, which displays a share widget, user comments, and a Like button. After the user completes all three steps (sharing, commenting, and liking, which is what pushes the post into their friends' Newsfeeds), the user is redirected several times before landing on the final scam page. It may be a survey site, a form asking users to fill out information to win a prize, or some other malicious site. There will be no sign of that initial free gift, though.

Social Engineering

The scam's promotion site has three social engineering elements to trick users: a "vouchers remaining" counter, a list of user comments, and the number of Likes the page has received. The "Free Vouchers Remaining" counter triggers a sense of urgency, because it implies the user needs to act fast before other people snatch them all up, Hunt said. The counter decrements by a random amount approximately every second. Since it's not dropping by a predictable 1 or 2 each time, it looks more like live demand and is therefore more believable, Hunt said.

The user comments are also fake. In fact, the page isn't even displaying the Facebook widget to pull the comments in, but a static image of random users, according to Hunt's analysis. The count of over 6 million Likes on the page is also a static image. Clicking on that Like image kicks off the multiple redirects that send the user to the final scam page.

"Undoubtedly there are many different routes the scam can take, there would be more than one variant of it and almost certainly there are multiple other parties implementing similar scams," Hunt wrote.

Making the Scam Work

While acknowledging that these scams do work, most of them have a "terrible success rate," Hunt said. To maximize the success rate, scammers may first do a quick check of the user's location. For the Woolworths scam, the user clicking on the link in the Newsfeed triggers a piece of JavaScript code that checks the user's location. Users outside Australia, Albania, New Zealand, South Africa, and Canada are redirected to Google and never see the actual scam, Hunt found. Presumably, if the retailer being used in the scam had a bigger presence in the U.S., the target locations would have included U.S.-based users.

Scammers are also hiding their tracks by jumping all over the globe. Hunt looked at the Woolworths scam and found that the domain name of the promotion site is registered to a "James Smith" in Albania. The IP address of the server hosting the promotion site belongs to a German host, Hunt said. The fact that users are redirected repeatedly before landing on the ultimate scam page also makes the scam difficult to trace.

People in Australia are being scammed by a user in Albania using a server hosted in Germany. "Who do the cops speak to?" Hunt asked, noting that the geographic distribution of these kinds of scams makes them too complex to investigate.

If It Sounds Too Good…

By tricking users this way, scammers may be paid per click as users pass through each redirect page, earn affiliate commissions for referring users to the final site, or get paid for every survey that is filled out. The personal information handed over on those forms could also lead to identity theft.

As far as Hunt is concerned, if the scam sounds too good to be true, it probably is.
